Encrypted ZFS with Ubuntu

Secureand Sound

Lars Kotthoff

ZFS is one of the most advanced filesystems, and now it can be used natively on Linux. One drawback is that native ZFS encryption is not available, but this article shows how use Linux's disk encryption to install Ubuntu onto an encrypted disk with ZFS.

The ZFS filesystem [1] was developed by Sun Microsystems and released as open source to the public in November 2005 as part of OpenSolaris. Then, as now, it offers features not found in other filesystems. One of the main design aims was to make it as robust and reliable as possible. ZFS stores not only the data but also cryptographic checksums of the data, which allow it to identify data that has been altered because of bit-rot, power failures, or people playing with magnets. Today, after years of development, improvements, and additional features, there is hardly anything ZFS does not do.

Although many features, such as support for various RAID modes, hot-swapping of disks and very large limits on data size, number of files and similar attributes, are geared toward the enterprise user, plenty of others will be of interest to home users. For example, ZFS supports transparent compression, with a choice of different compression algorithms and levels. Data can be de-duplicated automatically, making all those backup copies less space-consuming. Speaking of backups, ZFS supports block-level snapshots that only consume space when files actually change as well as the ability to send and receive those snapshots as filesystem streams over the network. Anybody who has had to run rsync
on large numbers of files will appreciate the performance improvement that this brings.

Although ZFS has been the main filesystem on OpenSolaris since 2005 and has been fully supported on FreeBSD and other BSDs for several years, its adoption by the Linux community [2] has been somewhat slower, not because of lack of enthusiasm, but rather because of legal issues. ZFS was released under the Common Development and Distribution License (CDDL). This license is not compatible with the GPL, meaning that ZFS cannot be bundled with the Linux kernel. One way around this restriction was to implement ZFS support through a Filesystem in Userspace (FUSE) module.This approach comes with a number of limitations, most notably, a significant performance penalty is incurred for running through FUSE, and ZFS cannot be used as a root filesystem.

More recently, the ZFS on Linux project has provided another solution to this problem. It implements ZFS support as a kernel module that does not rely on FUSE, but exploits a licensing loophole. As long as the ZFS kernel module is compiled by the user, and the user does not distribute it, there are no legal problems. Thus, ZFS on Linux makes it feasible to use ZFS as a root filesystem on Linux, and an increasing number of distributions are providing ZFS on Linux packages.

Among the alternatives to ZFS are Btrfs for Linux and HAMMER for DragonFly BSD. Both aim to support similar feature sets, but neither is currently as stable and mature as ZFS. Btrfs, in particular, still has a number of stability issues. The mainstream adoption of HAMMER is further inhibited by the fact that it is only fully supported in a niche operating system.

One major feature is, however, missing in the current open source version of ZFS: filesystem encryption. Although it's implemented and available in Solaris, this code has not made its way to the public yet. With the acquisition of Sun Microsystems by Oracle and the subsequent change of attitude toward derivative open source projects, it is questionable whether this code will be released.

Even though native ZFS encryption is not currently available, there is no reason to expose ZFS data to anybody who cares to look. Many block-level disk encryption solutions are available, and they are all compatible with ZFS. PC BSD (a FreeBSD derivative) even offers support for an encrypted ZFS root filesystem in the installer; a simple click is enough to set it up. On Linux, this procedure is not as simple. No installer offers the option to use ZFS at all at the moment. With some additional effort, however, this is not too difficult to achieve.

In the remainder of this article, I will assume that you want to install Ubuntu 12.10. Most of the steps described are not specific to this particular distribution, but it provides packages for all the relevant software (if not already included in the installer). For other distributions, the installation will be similar, but additional or different steps may be required to retrieve, compile, and install software.

Warning

The instructions below describe how to set up the basic system with respect to the filesystem and related matters. To complete the steps, you should be familiar with how Linux works and comfortable with using the command line. You may need to set up some additional items, such as support for specific hardware yourself.

After following the steps in this article, you will have only a very basic installation that will require significant additional setup. If you are not comfortable configuring and installing Ubuntu Linux from scratch, do not try to do this without help from someone who is.

Running a pure ZFS Linux system is still somewhat experimental. Although the implementation of ZFS itself can be considered stable and mature, the interface to the Linux kernel is relatively new. Furthermore, there is very little support for the setup described here. Things may break when upgrading the system and if they do, your choice of tools to recover and fix your system will be limited. So, if you still feel adventurous enough to undertake this installation, read on.

Getting Started

Before starting the actual installation, get the latest Ubuntu 12.10 boot image. Although it's possible to install a 32-bit ZFS system, the 64-bit image is highly recommended. To begin, boot the machine you want to install with the image that you obtained and choose Try Ubuntu
at the initial screen. Once the live distribution is up and running, open a terminal and become root.

The first thing you should do here is to set up the network; you will require a network connection during the installation. After that, partition the hard drive on which you want to install Ubuntu. You will need a small partition to boot from. The rest of the disk can be allocated to the encrypted ZFS partition. Remember to set the bootable
flag on your boot partition. Then, create a filesystem of your choice on that partition. I will assume that the disk you want to use for the installation is /dev/sda
with boot partition /dev/sda1
and the rest of the disk in /dev/sda2
. If the device name differs on your system or you prefer to use UUIDs, change the instructions below accordingly.